bob baxley

IoT Frequencies

Ever wonder which frequencies your IoT devices are using? Wonder no more: all wireless device manufacturers have to file paperwork with the FCC when they sell a device. The filing includes user manuals, a description of the device, a block diagram, operational descriptions, test reports, and photographs of the device. Under certain circumstances, some of these documents can be kept confidential; but the test report is always made public.

Luckily for all the SDR hackers out there, the test report often contains key information required to decode and perhaps even hack a wireless device. Namely, the test report submitted to the FCC will contain center frequency, channel, bandwidth, and modulation information. Couple this insight with a software-defined radio (SDR), and a little bit of code, and we can do some really cool things.

For fun, let’s query the FCC database for all original equipment applications in the past year that emit in the UHF frequencies between 600MHz and 700MHz. It is truly an IoT—we see everything from a fetal monitor (FCC ID PQC-OBRBSBV1; 111kHz channels w/ GFSK modulation at 608-614 MHz) to a wireless microphone system (FCC ID DD4-PA411A; 200kHz channels w/ FM modulation at 488 - 698 MHz) to a set-top box (FCC ID G95-C51; RF4CE Zigbee) to 4G routers (FCC ID PY3-13400244) and phones (FCC ID BCG-E2816A).

iPhone FCC Specific Absorption Rate (SAR) test result

At DEFCON this year, an enterprising SDR buff used information in the FCC database to deduce the workings of wireless signaling for various physical security/alarm systems. He was able to easily subvert the security mechanisms using about $1k in SDR hardware, open source software, and information in FCC documents. Similar proofs of concepts have been shown for SDR hacking of key fobs, cellular phones, and SCADA wireless infrastructure.

With the proliferation of IoT devices, we are seeing more and more proprietary wireless protocols being developed and deployed. These protocols inevitably introduce unforeseen wireless security vectors that will need to be monitored and mitigated.